[gnso-rds-pdp-wg] @EXT WHOIS info and investigation

Ayden Férdeline icann at ferdeline.com
Mon Jul 25 22:58:14 UTC 2016


Thanks for sharing this, Nick.
Use case: Governments use the WHOIS to investigate with 'crimes in action', and
the current level of access enables them to mitigate threats in a timely manner.
Governments have ample mechanisms through which they can obtain information
about a domain name registrant. I would put forward that sensitive,
personally-identifiable information should only be released to State actors as a
result of a judicial order where due process has been followed.
- Ayden





On Mon, Jul 25, 2016 5:27 PM, Nick Shorey nick.shorey at culture.gov.uk wrote:
Yep certainly wouldn't want to jump the gun Volker.
Use case: Governments use the WHOIS to investigate with 'crimes in action', and
the current level of access enables them to mitigate threats in a timely manner.
=)
Nick
Nick Shorey BA(Hons) MSc. Senior Policy Advisor | Global Internet Governance Department for Culture, Media & Sport HM Government | United Kingdom
Email: nick.shorey at culture.gov.uk Tel: +44 (0)7741 256 320 Skype: nick.shorey Twitter: @nickshorey LinkedIn: www.linkedin.com/in/nicklinkedin
On 25 July 2016 at 12:45, Volker Greimann < vgreimann at key-systems.net > wrote:
I think we are jumping the gun again. Let's rather focus on the use cases and
how they should be structured.



Am 25.07.2016 um 12:59 schrieb Nick Shorey:
Thanks everyone for sharing these useful articles. Would love to meet Krebs some
day.
As Rod mentioned, WHOIS often being the first point of research in many LEA
investigations, and though whilst it might not always be the ultimate 'smoking
gun' piece of evidence presented in court, the importance of WHOIS data in the
initial stages of an investigation must not be underplayed.
Another observation I'd make is that with things like malware, online pharmacies
and threat to life scenarios where WHOIS data can be crucial, we're often
dealing with what I call 'crime in action'. The quicker you can build a holistic
understanding of the threat, the more impactive your action can be - and the
fewer people that get harmed.
The current level of access to WHOIS definitely supports 'timely' investigation
which can make a huge difference in such cases, and as we get further down the
track on this PDP, I think its important to note this element in our
deliberations.
Keep up the great work.
Nick
Nick Shorey BA(Hons) MSc. Senior Policy Advisor | Global Internet Governance Department for Culture, Media & Sport HM Government | United Kingdom
Email: nick.shorey at culture.gov.uk Tel: +44 (0)7741 256 320 Skype: nick.shorey Twitter: @nickshorey LinkedIn: www.linkedin.com/in/nicklinkedin
On 21 July 2016 at 00:28, Greg Shatan < gregshatanipc at gmail.com > wrote:
While we're at it, Krebs also covered a case that I worked on in its early
stages: 
http://krebsonsecurity.com/2016/07/serial-swatter-stalker-and-doxer-mir-islam-gets-just-1-year-in-jail/ . One of my clients had sensitive information (a credit report, illegally
acquired, along with social security number, bank account information, etc.,
etc.) exposed on a website run by Mir Islam; a number of other people had credit
reports and other information posted. Through a combination of Whois (both ccTLD
and gTLD) and Zone File information and other available information, we were
able to get the site taken offline, but not before significant distress and
potential for damage occurred. The site went back up (and quicklydown) several
more times, as shadier and shadier web hosts were used. The FBI and Secret
Service quickly got involved, and further work shifted to them, thought we were
kept informed (to the extent possible) of their activities in shutting this
operation down. I didn't realize until I read the Krebs article how much other
tortious and criminal activity this person and his colleagues were involved in.
During this case, I had to research the potential consequences of an adult
changing their social security number (it's not easy, but it can be done). The
consequences are not pretty, because your credit history, medical history and a
lot of other information is tied to your social security number. When you change
a social security number, none of that transfers over, so you have to go through
a lot of steps to put your life back together. Ultimately, the solution seemed
worse than the problem, especially since we were able to get the site taken down
so quickly.
Greg











Gregory S. Shatan | Partner
McCARTER & ENGLISH, LLP

245 Park Avenue, 27th Floor | New York, New York 10167
T: 212-609-6873
C: 917-816-6428
F: 212-416-7613
gshatan at mccarter.com | www.mccarter.com

BOSTON | HARTFORD | STAMFORD | NEW YORK | NEWARK
EAST BRUNSWICK | PHILADELPHIA | WILMINGTON | WASHINGTON, DC


On Wed, Jul 20, 2016 at 3:35 PM, Terri Stumme < terri.stumme at legitscript.com > wrote:
I would like to weigh in here and recommend, because we all have so much extra
time, that you take a few minutes to read the following article (there are many
others) and Wikipedia bio related to Paul LeRoux, specifically, please read
Section 3, RX Limited in the Wikipedia bio. It is important to point out that
Paul LeRoux's company, ABSystems was an ICANN accredited registrar. Not only was
he running one of the largest Internet pharmacy networks, he was the SPAM king
and responsible for much (not all) of the Internet pharmacy spam everyone has
likely received at some point in time. It is also important to point out that --
there are others!
( 
https://news.vice.com/article/paul-e-roux-joseph-hunter-rambo-the-dea-meth-and-cocaine ) ( https://en.wikipedia.org/wiki/Paul-Le_Roux )
Background: This DEA case began with the investigation of LeRoux's online
pharmacy business (I worked at DEA for 16-1/2 years, ten of which I spent
working in the Internet pharmacy investigations section). The RX Limited network
was comprised of approximately 25,000 domain names, and this investigation, as
well as all Internet pharmacy investigations, begin with collecting WHOIS and
DNS information for the domain names. Typically there are several individuals
and organizations involved in the operation of an online pharmacy network, and
typically there are hundreds of domain names affiliated with the network. WHOIS
information is critical to the investigation, and is utilized to map out the
network and identify domain name ownership. Even if bogus WHOIS information is
utilized, it is still pertinent -- perhaps the same bogus information is given
for more than one domain name. We then know that those domain names with the
same bogus information are likely part of the same network.
Over the years, there have been several requests from ICANN and registrars for
LE to provide case examples. I cannot tell you the number of times I wish I were
able to talk about this particular case. The reality is that talking about
ongoing investigations, and even certain aspects of closed investigations is
forbidden. There is a trust factor that must be considered here -- we are not
making this stuff up -- it's real, and there is very dangerous criminal activity
happening facilitated via the Internet, and whatever we need to do to curb this
activity should be the goal of any upstanding, moral, law-abiding individual
(organization).
I do not claim to have all the answers here, nor how we get to where we need to
be, but I firmly believe that open, unrestricted access to WHOIS information
that includes no fewer data points than what is currently available, is
absolutely critical.


On Wed, Jul 20, 2016 at 12:04 AM, Mark Svancarek via gnso-rds-pdp-wg < gnso-rds-pdp-wg at icann.org > wrote:
Here’s one that was used during a criminal investigation though it was found by
non-law-enforcement people.


http://thinkprogress.org/justice/2015/06/20/3672201/alleged-dylann-roof-racist-manifesto-revealed/





From: Rod Rasmussen [mailto: rrasmussen at infoblox.com ]
Sent: Tuesday, July 19, 2016 5:25 PM
To: Mounier, Grégory < gregory.mounier at europol.europa.eu >
Cc: Chuck Gomes < cgomes at verisign.com   Mark Svancarek < marksv at microsoft.com   Andrew Sullivan < ajs at anvilwalrusden.com   gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] @EXT WHOIS info and investigation



Krebs is always a great read - really knows his stuff technically and as a
journalist. If you liked this, check out his book Spam Nation for a whole
history of this and some of the main actors behind it throughout most of the
last ten years.



This is a fairly typical OSINT (Open Source Intelligence) type of investigation.
You’d think criminal “masterminds” wouldn’t use horrible operational security
practices like using their same personal information on social media accounts,
malicious and personal domain registrations, embedded in malcode, or in e-mails.
Yet they do every day and this is a major source of cybersecurity professionals
being able to track down all manner of undesirable Internet activities from
services abuse to flat-out illegal acts in most if not all jurisdictions.



A couple of additional things to note.



1) Law enforcement had nothing to do with this particular story/investigation.
This is true for most cybersecurity operational activity and investigations -
it’s largely a private-sector affair with security companies of various flavors
looking at the malware, spam, malvertizing, etc. that crosses their paths. From
that starting point they try to figure out things like what else is tied to it
(so I can block or kill it), or “who’s doing this”, or “what are they really up
to?”



2) There are a lot of “established” service providers around the world that have
heavy levels of abuse on them over a very long time. It is really hard at times
to separate “bad guys” from “incompetent” or “uncaring" operators. Collection of
data like this can lead to connections between various activities that can put a
much better color on their hats.



3) To then bring charges that could actually affect a subject’s life though, any
and all of this kind of research is merely a starting point that the police then
use to inform a much more traditional investigation that involves formal records
requests, court-ordered actions like search warrants or wiretaps, etc. so they
can develop court admissible evidence. A whois query result is not evidence, and
no one gets thrown in jail for having a dodgy domain registered in their name.



Cheers,



Rod



On Jul 19, 2016, at 3:03 PM, Mounier, Grégory < gregory.mounier at europol.europa.eu > wrote:



Dear all,

Here is a nice example of how WHOIS information is used to investigate unlawful
activities:

http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/

Greg




--------------------------------------------------------------------------------

From: gnso-rds-pdp-wg-bounces at icann.org on behalf of Gomes, Chuck
Sent: 18 July 2016 20:26:34
To: 'Mark Svancarek'; 'Andrew Sullivan'; gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] An important technical consideration about nature of the
service (was Re: The overflowing list )

Thanks Mark.

Chuck

-----Original Message-----
From: Mark Svancarek [ mailto:marksv at microsoft.com ]
Sent: Monday, July 18, 2016 1:40 PM
To: Gomes, Chuck; 'Andrew Sullivan'; gnso-rds-pdp-wg at icann.org
Subject: RE: [gnso-rds-pdp-wg] An important technical consideration about nature
of the service (was Re: The overflowing list )

I'll take a stab at it.
I've also asked our IP/Brand people and digital crimes people to help me
document how Microsoft uses WhoIs data today, but not ETA when that will be
ready.

-----Original Message-----
From: gnso-rds-pdp-wg-bounces at icann.org [ mailto:gnso-rds-pdp-wg-bounces at icann.org ] On Behalf Of Gomes, Chuck
Sent: Saturday, July 16, 2016 6:29 AM
To: 'Andrew Sullivan' < ajs at anvilwalrusden.com   gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] An important technical consideration about nature
of the service (was Re: The overflowing list )

Any volunteers to develop Andrew's suggestions into use cases?

Chuck

-----Original Message-----
From: gnso-rds-pdp-wg-bounces at icann.org [ mailto:gnso-rds-pdp-wg-bounces at icann.org ] On Behalf Of Andrew Sullivan
Sent: Saturday, July 16, 2016 1:00 AM
To: gnso-rds-pdp-wg at icann.org
Subject: [gnso-rds-pdp-wg] An important technical consideration about nature of
the service (was Re: The overflowing list )

Thanks, Stephanie, for the quick issue list. There's one thing that I want to
draw out here so that we can keep it foremost when thinking of
issues:

On Sat, Jul 16, 2016 at 12:05:10AM -0400, Stephanie Perrin wrote:

> * Where the RDS (whether a central database or federated or completely
> disaggregated) resides becomes important for law enforcement access.

This "where data resides" issue is bound to vex us, no matter what kind of
policy we come up with. But it's really important to keep in mind that the
different styles of system design will yield very different properties.

In the taxonomy I offered before
( 
https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmm.icann.org%2fpipermail%2fgnso-rds-pdp-wg%2f2016-June%2f000951.html&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=d3d1ttF1Z5Kn9M1VZ1RKPFSppMzJHpCaIKM1LHynBBQ%3d ),
models I and V have a clear since answer to, "Where does the data reside?"
because they have a single database backing them up. In models II-IV, however,
the answer to, "Where does the data reside?" is actually not entirely
meaningful. There are multiple places where the data are, and for data with
respect to any given domain name each datum might be in a different place.
(Indeed, part of the design of RDAP is precisely to make such arrangements
easier to deal with.)

It is therefore better to try to find a way, consistent with all of the various
requirements documents, to answer some other questions.
I think these might be helpful in building use cases:

1. For any given datum, who has control of and access to the datum?

2. For any given datum, what are the conditions under which the
datum ought to be accessible?

3. For any given set of related data, how can it be accessed?

Notice that answering (3) will provides use cases for data access, whereas (1)
and (2) provide for limit conditions on how and when use cases might be apply.

I hope these framing questions are helpful in figuring out which use cases we
can bring to bear on requirements.

Best regards,

A

--
Andrew Sullivan
ajs at anvilwalrusden.com
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org

https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org

https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

*******************

DISCLAIMER : This message is sent in confidence and is only intended for the
named recipient. If you receive this message by mistake, you may not use, copy,
distribute or forward this message, or any part of its contents or rely upon the
information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails
from any computer. This message does not constitute a commitment by Europol
unless otherwise indicated.

******************* _______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg




_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg



--
Terri Stumme Investigative Analyst
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg


_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg



_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg


-- 
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann
- Rechtsabteilung -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net

Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
www.facebook.com/KeySystemswww.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken 
Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu 

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net

Web: www.key-systems.net / www.RRPproxy.netwww.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystemswww.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken 
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu 

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.






_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg



Ayden Férdeline Statement of Interest
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160725/ccea9aba/attachment.html>


More information about the gnso-rds-pdp-wg mailing list